All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Fortinet FortiGate Add-On for Splunk: How to use only the Fortigate Add-on to parse logs

cesarfabre
Explorer
‎07-05-2019 01:05 PM

Hello,
I have a FortiGate 300e with FortiOS 6.0.4, and would like to index only the security events in Splunk.
Also, I want to use only the Fortigate Add-on for the parse of the logs.
I do not want to use the Fortigate APP because I will build my own dashboard. Is this possible?

Does anyone have experience with this?

Tks

Reply

cesarfabre
Explorer
‎07-10-2019 06:23 AM

Hi Burak,

For the Palo Alto Firewall I was able to do the indexing of the logs via Palo Alto Add-on only. I've used 3 files in the local directory, such as:

Inputs.conf
[udp: // 5514]
sourcetype = pan: log
no_appending_timestamp = true
index = pancompany_logs

Props.conf
[pan: log]
TRANSFORMS-drop = discard-traffic

Transforms.conf
[discard-traffic]
REGEX =, TRAFFIC,
DEST_KEY = queue
FORMAT = nullQueue

Help!!!
How do I configure the inputs, props and transforms in FortiGate Add-on?

I would like to drop traffic logs (ex.: type="traffic") and index only security logs (ex.: type="utm") from FortiGate.

Can you help me?

Tks

0 Karma
Reply

ldunzweiler
Engager
‎10-03-2019 08:18 AM

Did you get this working? I am working on this myself right now. Only want the utm logs but on top of this only specific fields within those logs.

UTM gets very sizable in our environment and we have a constraining license.

0 Karma
Reply

burakcinar
Path Finder
‎07-06-2019 04:25 AM

hi ,

you can deploy related TA to your indexer and heavy forwarder only, you don't need to deploy APP to search head or any splunk role if you don't want their dashboard.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...